It also strips href and src attributes whose value uses an unsafe protocol
such as javascript:. Because attackers try to hide the protocol behind
Unicode, ASCII, or hex character references (for example &#106;avascript: or
&#x6A;avascript:), the sanitizer decodes those references before applying the
protocol filter rather than matching the raw attribute text.
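The following is an added example, not code from Rails or the rails-html-sanitizer gem (which does this work on a parsed Nokogiri DOM through Loofah). It shows why the protocol check has to decode character references and strip the whitespace browsers ignore before looking at the scheme, placing a naive prefix check beside a hardened one. The SAFE_SCHEMES allowlist, the helper names and every input string are assumptions constructed for the demo.

```ruby
# Added example (not rails-html-sanitizer's own implementation): a URL-protocol
# check that decodes character references and strips browser-ignored whitespace
# BEFORE inspecting the scheme, next to the naive check that encoded variants
# are designed to defeat. All inputs below are constructed bypass attempts.

SAFE_SCHEMES = %w[http https mailto ftp].freeze # assumed allowlist for this demo

NAMED_REFS = {
  "amp" => "&", "lt" => "<", "gt" => ">", "quot" => '"', "apos" => "'",
  "tab" => "\t", "newline" => "\n", "colon" => ":"
}.freeze

# Matches &#x6A; (hex), &#106; / &#0000106; (decimal) and &amp; (named) forms.
# The trailing semicolon is optional because browsers accept references without it.
CHAR_REF = /&(?:#x([0-9a-f]+)|#([0-9]+)|([a-z]+));?/i

# Out-of-range and surrogate code points get U+FFFD, as browsers do, instead of
# producing an invalid string that would break later regex operations.
def codepoint_to_s(n)
  return "\uFFFD" if n > 0x10FFFF || (0xD800..0xDFFF).cover?(n)
  n.chr(Encoding::UTF_8)
end

# Single pass: decoded text is never re-scanned, so "&amp;#106;" decodes to the
# literal text "&#106;" rather than to "j".
def decode_char_refs(str)
  str.gsub(CHAR_REF) do
    m = Regexp.last_match
    if m[1]    then codepoint_to_s(m[1].to_i(16))
    elsif m[2] then codepoint_to_s(m[2].to_i)
    else NAMED_REFS.fetch(m[3].downcase) { m[0] } # unknown entity: leave as-is
    end
  end
end

# Normalise the way a browser's URL parser does: decode references, remove
# tab/newline/CR anywhere, strip leading/trailing C0 controls and spaces.
def normalize_url(raw)
  url = decode_char_refs(raw).delete("\t\n\r")
  url.gsub(/\A[\x00-\x20]+|[\x00-\x20]+\z/, "")
end

def safe_url?(raw)
  scheme = normalize_url(raw)[/\A([a-z][a-z0-9+.\-]*):/i, 1]
  return true if scheme.nil? # no scheme: relative URL such as /path or #anchor
  SAFE_SCHEMES.include?(scheme.downcase)
end

# The check that the encoded variants are built to slip past.
def naive_safe_url?(raw)
  !raw.downcase.start_with?("javascript:")
end

# Demo-only scrubber over double-quoted href/src values. A real sanitizer works
# on parsed DOM nodes, never with a regex over raw HTML.
def scrub_url_attributes(html)
  html.gsub(/\s+(href|src)\s*=\s*"([^"]*)"/i) do
    m = Regexp.last_match
    safe_url?(m[2]) ? m[0] : ""
  end
end

if __FILE__ == $0
  attempts = ["javascript:alert(1)", "&#106;avascript:alert(1)",
              "&#x6A;avascript:alert(1)", "&#0000106avascript:alert(1)",
              "jav&#x09;ascript:alert(1)", " \u0000javascript:alert(1)",
              "javascript&#58;alert(1)", "https://example.com/", "/relative"]
  attempts.each do |u|
    printf("%-34p naive=%-5s hardened=%s\n", u, naive_safe_url?(u), safe_url?(u))
  end
end
```

The naive check rejects only the literal prefix and passes every encoded or whitespace-padded variant; the hardened check normalises first and then applies an allowlist of schemes, which is the only order that holds up, since a denylist of bad schemes can always be extended with one more spelling.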

The default sanitizer is Rails::Html::WhiteListSanitizer (renamed
Rails::Html::SafeListSanitizer in later releases of the rails-html-sanitizer
gem, with the old constant kept as an alias). See Rails HTML Sanitizers for
more information.

Custom sanitization rules can also be provided: pass :tags and :attributes to
override the allowed tags and attributes for a single call, or pass a
:scrubber (a Loofah scrubber) to replace the default filtering entirely.

Please note that sanitizing user-provided text does not guarantee that the
resulting markup is valid or even well-formed: sanitize filters tags and
attributes against an allowlist, it does not escape. For example, the output
may still contain unescaped characters like <, >, or &. If you need escaped
text rather than filtered markup, use html_escape instead.